AWS · DEA-C01

Security And Governance Boundary — AWS Data Engineer (DEA-C01)

4% of exam questions (8 of 200)

Threat model scope determines the right security layer

The candidate sees 'centralize access' and defaults to IAM roles. The scenario specifies a multi-account environment where engineers need federated single sign-on and least-privilege access to data-lake resources across accounts. That scope belongs to IAM Identity Center (workforce SSO with permission sets assigned per account), not standalone IAM users and roles maintained in each account. GuardDuty handles threat detection; Security Hub aggregates findings across services and accounts. The exam tests whether you extract the threat-model scope before selecting a control, not whether you recognize the service names.

What This Pattern Tests

The exam describes a security requirement and tests which access-control layer applies. Identity-based IAM policies attach to principals (users, groups, roles). Resource-based policies attach to resources (S3 bucket policies, KMS key policies). SCPs set the maximum permissions available to every principal in an account or OU; they grant nothing by themselves. Permissions boundaries cap what an individual IAM user or role can exercise, regardless of what its identity policies allow. An explicit Deny in any layer overrides every Allow, and an identity-policy Allow only takes effect if neither the SCP nor the boundary leaves the action implicitly denied. The trap is applying EC2-style security-group thinking to Lambda: a function's permissions come from its IAM execution role, and a security group only governs network reachability when the function is attached to a VPC. The other common trap is writing an IAM policy when an SCP is needed for an account-wide restriction. S3 Block Public Access, VPC endpoint policies, and Organizations tag policies each add another control plane the exam expects you to distinguish.

Decision Axis

Control scope determines the mechanism: principal-level (IAM identity policies, capped by permissions boundaries), resource-level (resource policies), account- or OU-level (SCPs), or network-level (security groups, NACLs, VPC endpoint policies).
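The layering described above is easiest to see as a decision procedure. The following is an added example written for this page, not AWS code and not from the original page: it reduces the documented policy evaluation order to the parts that matter when choosing a layer, namely that an explicit Deny anywhere wins, an SCP or permissions boundary can only cap what a principal may do, and an identity-policy Allow is useless when a higher layer does not also allow the action. The policies, the bucket name example-datalake, and the hypothetical engineer role are constructed for illustration; Condition keys, NotAction and NotResource are deliberately not modelled.

```python
"""Simplified model of how AWS evaluates one request across control layers.

Added example for this page; not AWS code. Assumptions (not from the page):
statements are plain Effect/Action/Resource with '*' and '?' wildcards,
no Condition keys, and no NotAction/NotResource.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow', or None when no statement in the policy matches."""
    if policy is None:
        return None
    decision = None
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny short-circuits the policy
            decision = "Allow"
    return decision


def evaluate(action, resource, *, identity=None, resource_policy=None,
             scp=None, boundary=None, same_account=True):
    """Return (decision, reason) for one API call against the supplied layers."""
    verdicts = {
        "SCP": _policy_decision(scp, action, resource),
        "PermissionsBoundary": _policy_decision(boundary, action, resource),
        "Identity": _policy_decision(identity, action, resource),
        "Resource": _policy_decision(resource_policy, action, resource),
    }
    for layer, verdict in verdicts.items():          # 1. explicit Deny in any layer wins
        if verdict == "Deny":
            return "Deny", f"explicit Deny in {layer} policy"
    if scp is not None and verdicts["SCP"] != "Allow":   # 2. SCP must allow (cap only)
        return "Deny", "implicit deny: no SCP statement allows the action"
    if boundary is not None and verdicts["PermissionsBoundary"] != "Allow":  # 3. boundary cap
        return "Deny", "implicit deny: permissions boundary does not allow the action"
    identity_ok = verdicts["Identity"] == "Allow"    # 4. identity / resource policy
    resource_ok = verdicts["Resource"] == "Allow"
    if same_account and (identity_ok or resource_ok):
        return "Allow", "allowed by identity or resource policy"
    if not same_account and identity_ok and resource_ok:
        return "Allow", "cross-account: identity and resource policy both allow"
    return "Deny", "implicit deny: no identity/resource policy allows the action"


# Constructed sample policies for a hypothetical data-lake bucket.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},                # FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # org-wide guardrail
]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
]}
ENGINEER_ROLE = {"Statement": [   # identity policy on the hypothetical role
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-datalake", "arn:aws:s3:::example-datalake/*"]},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-datalake/curated/*"},
]}
OBJECT = "arn:aws:s3:::example-datalake/curated/orders.parquet"


def demo():
    """Run the scenarios the page describes and return their decisions."""
    return {
        "read_same_account": evaluate("s3:GetObject", OBJECT, identity=ENGINEER_ROLE,
                                      scp=SCP, boundary=BOUNDARY),
        "write_capped_by_boundary": evaluate("s3:PutObject", OBJECT, identity=ENGINEER_ROLE,
                                             scp=SCP, boundary=BOUNDARY),
        "delete_blocked_by_scp": evaluate("s3:DeleteBucket", "arn:aws:s3:::example-datalake",
                                          identity=ENGINEER_ROLE, scp=SCP, boundary=BOUNDARY),
        "cross_account_no_bucket_policy": evaluate("s3:GetObject", OBJECT, identity=ENGINEER_ROLE,
                                                   scp=SCP, same_account=False),
        "cross_account_with_bucket_policy": evaluate("s3:GetObject", OBJECT, identity=ENGINEER_ROLE,
                                                     resource_policy=BUCKET_POLICY, scp=SCP,
                                                     same_account=False),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:34} {decision:5} {reason}")
```

Run it and compare the second and third scenarios: the role's identity policy grants s3:* on the bucket in both, yet s3:PutObject is stopped by the boundary and s3:DeleteBucket by the SCP. Fixing either with a broader identity policy changes nothing, which is exactly the layer-selection point the exam is probing. The last two scenarios show why cross-account sharing needs a resource policy in addition to the consumer's identity policy.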


Decision Rules

Decide whether column-level access restrictions (Lake Formation) satisfy the HIPAA requirement for irreversible PII masking before cross-account sharing, or whether a data-transformation step (a Glue DataBrew recipe writing a de-identified output) paired with a customer-managed KMS key is required to satisfy the masking and the encryption-at-rest BYOK constraints at the same time. Lake Formation column permissions only filter what a consumer's queries return; the PII stays in the underlying S3 objects, so they do not by themselves de-identify the shared data.

AWS Glue DataBrew · AWS Key Management Service (AWS KMS)

Whether data-transformation masking (a Glue DataBrew recipe writing an anonymized output) or query-time access restriction (Lake Formation column permissions) satisfies the HIPAA requirement that PII is de-identified, not merely hidden from the consumer account, before cross-account delivery.

AWS Glue DataBrew · AWS Key Management Service (AWS KMS) · Amazon S3
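The difference between the two decision rules above is whether the PII still exists in the dataset that gets shared. The following added example, written for this page and not a DataBrew recipe or any AWS code, models both options on a constructed in-memory table: a query-time column filter that leaves the stored rows intact, and a transformation that writes a new dataset with identifiers dropped or generalized and a keyed-hash surrogate for the join key. The records, column names, and the producer-side secret are all constructed for illustration; the KMS/BYOK half of the rule (encrypting the output at rest) is not modelled here.

```python
"""Query-time column restriction versus de-identification by transformation.

Added example for this page; not AWS code and not a DataBrew recipe.
Assumptions (constructed): a small raw table, a per-column drop/generalize
policy, and an HMAC-SHA256 surrogate for the join key so consumer-side joins
still work without the original identifier. The HMAC key stays with the
producer; without it the token cannot be mapped back to the patient id.
"""
import hashlib
import hmac

# Constructed sample records standing in for a raw patient table.
RAW_ROWS = [
    {"patient_id": "P-1001", "ssn": "123-45-6789", "email": "ann@example.org",
     "dob": "1984-03-09", "zip": "02139", "diagnosis_code": "E11.9"},
    {"patient_id": "P-1002", "ssn": "987-65-4321", "email": "bo@example.net",
     "dob": "1979-11-21", "zip": "94110", "diagnosis_code": "I10"},
]
PII_COLUMNS = {"patient_id", "ssn", "email", "dob"}

# Hypothetical secret held only in the producer account.
PRODUCER_HMAC_KEY = b"producer-account-secret-do-not-share"


def lake_formation_view(rows, allowed_columns):
    """Model column-level permissions: the consumer's query sees fewer
    columns, but `rows` (the stored data) is returned unchanged elsewhere."""
    return [{k: v for k, v in row.items() if k in allowed_columns} for row in rows]


def surrogate_id(value):
    """Keyed hash: same patient -> same token across files, not reversible
    without the producer's key."""
    return hmac.new(PRODUCER_HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(rows):
    """Model a transformation recipe: emit a new dataset with PII removed or
    generalized. ssn and email are dropped entirely."""
    out = []
    for row in rows:
        out.append({
            "patient_token": surrogate_id(row["patient_id"]),
            "birth_year": row["dob"][:4],   # date of birth generalized to year
            "zip3": row["zip"][:3],         # ZIP truncated to the first three digits
            "diagnosis_code": row["diagnosis_code"],
        })
    return out


def leaks_raw_pii(output_rows, raw_rows):
    """Check whether any original PII value appears anywhere in the output."""
    raw_values = {row[c] for row in raw_rows for c in PII_COLUMNS}
    return any(str(v) in raw_values for row in output_rows for v in row.values())


def compare():
    """Return the properties a reviewer would check before cross-account delivery."""
    view = lake_formation_view(RAW_ROWS, {"zip", "diagnosis_code"})
    masked = deidentify(RAW_ROWS)
    return {
        # the restricted query result hides PII ...
        "view_hides_pii": not leaks_raw_pii(view, RAW_ROWS),
        # ... but anything that reaches the stored objects directly still gets it
        "direct_read_exposes_pii": leaks_raw_pii(RAW_ROWS, RAW_ROWS),
        # the transformed dataset can be shared because the PII is not in it
        "masked_output_has_pii": leaks_raw_pii(masked, RAW_ROWS),
        # the surrogate is stable, so the consumer can still join on it
        "token_stable": surrogate_id("P-1001") == masked[0]["patient_token"],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value}")
```

The check function is the part worth keeping: before granting a cross-account share, run the candidate output through a test like leaks_raw_pii against the source table, and treat any hit as a blocker. A Lake Formation grant passes that test only for the query path it governs; a transformed dataset passes it for every path.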

Domain Coverage

Data Security and Governance

Difficulty Breakdown

Easy: 4 · Hard: 4